External to DA, the OS X Way


Operating in an OS X-heavy environment

Contents
  • Introduction
  • Overview
  • Tradecraft Preparation
  • Challenges
  • The Agent
  • Phishing
  • Situational Awareness: Host Enumeration
  • Privilege Escalation
  • Persistence
  • Situational Awareness: Network and User Enumeration
  • Lateral Movement

Introductions

Alex Rymdeko-Harvey is a former US Army Soldier who recently transitioned and currently works at the Adaptive Threat Division at Veris Group as a Penetration Tester and Red Teamer. Alex has a wide range of skills and experience from offensive and defensive operations taking place in today's security surface.

Steve Borosh is a long-time security enthusiast. Prior: U.S. Army Infantry Combat Veteran and private security contractor. Currently working as a Penetration Tester, Red Teamer and Instructor with Veris Group's Adaptive Threat Division. Steve enjoys bug hunting, building useful security tools and teaching.

Overview
  • Typical penetration tests cover Windows / Linux
  • Assessments become mundane
  • Client approaches with a large OS X user-base
  • Use common methodologies with new tools and techniques adapted for OS X
  • Utilize EmPyre, a Remote Access Trojan based off of the Empire framework

Adversarial Use
  • WireLurker (Trojanized applications, infects connected iOS devices)
  • XcodeGhost (Infected Xcode package in China)
  • Hacking Team (Remote Code Systems compromise platform)
  • OceanLotus (Flash dropper, downloads Mach-O binary)
  • KeRanger (Ransomware, infected Transmission package)

The Scenario
  • A client requests an external penetration test against their corporate infrastructure.
  • Phishing with payloads may be conducted with email addresses harvested from publicly available sources.
  • 90% of users utilize OS X, with several developers using Windows

Scenario: Goals
  • Phish OS X users
  • Elevate local privileges
  • Move laterally if needed
  • Gain control of the Active Directory domain

Tradecraft Preparation
  • Planning and Preparation
  • Right tools for the job
  • Live off the land
    • pbpaste
    • screencapture
  • Native vs Non-Native
  • Methodology
    • Reconnaissance
    • Exploitation (gain access)
    • Situational Awareness
    • Escalate Privileges
    • Establish Persistence
    • Lateral Movement

[Diagram: post-exploitation cycle: Gain Access → Situational Awareness → Escalate Privileges → Establish Persistence → Lateral Movement]

Challenges
  • Limited information on operating in OS X environments
  • No open-sourced asynchronous Remote Access Trojan (RAT)
  • Lateral spread

OS X/Linux compared with Windows:
  • Fewer phishing payloads available
  • No OLE
  • Fewer executable types

The Agent: EmPyre
  • Remote Access Trojan (RAT)
  • Python (core developed by @harmj0y), based on the Empire project
  • Asynchronous C2
  • Secure Diffie-Hellman exchange communications
  • Post-exploitation modules
  • OS X/Linux
  • Launcher detects Little Snitch

The Diffie-Hellman implementation is from Mark Loiseau's project at https://github.com/lowazo/pyDHE, licensed under version 3.0 of the GNU General Public License.

The AES implementation is adapted from Richard Moore's project at https://github.com/ricmoo/pyaes, licensed under the MIT license.
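The agent slide lists a Diffie-Hellman exchange as the basis of its communications. The following is an added example, not code from EmPyre or from pyDHE: it plays both sides of a plain DH exchange in Python, shows the two messages that cross the wire, and hashes the agreed secret into a 256-bit key. The group parameters P and G, the party names "agent" and "server", and the fixed private exponents are constructed for the example; 2**127 - 1 is prime but far too small for real use.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Toy group, constructed for illustration only: 2**127 - 1 is prime, but far too
# small for real use. A real agent uses one of the large RFC 3526 MODP groups.
P = 2 ** 127 - 1
G = 5
KEY_BYTES = (P.bit_length() + 7) // 8   # 16 bytes for this P


class Party:
    """One side of the exchange; holds a private exponent and publishes g^x mod p."""

    def __init__(self, name: str, private: Optional[int] = None):
        self.name = name
        # Private exponent in [2, p-2]; passing a fixed value makes a run reproducible.
        self.private = private if private is not None else secrets.randbelow(P - 3) + 2
        self.public = pow(G, self.private, P)

    def derive_key(self, peer_public: int) -> bytes:
        """Compute the shared secret from the peer's public value, then hash it into a key."""
        # Reject degenerate values (0, 1, p-1) that would force a predictable secret.
        if not 2 <= peer_public <= P - 2:
            raise ValueError(f"{self.name}: peer public value out of range")
        shared = pow(peer_public, self.private, P)
        return hashlib.sha256(shared.to_bytes(KEY_BYTES, "big")).digest()


def run_exchange(agent_private: Optional[int] = None,
                 server_private: Optional[int] = None) -> Tuple[bytes, bytes]:
    """Play both sides and return (agent_key, server_key).

    Message 1, agent -> server: A = g^a mod p
    Message 2, server -> agent: B = g^b mod p
    Each side then computes g^(ab) mod p locally; the secret itself never crosses the wire.
    """
    agent = Party("agent", agent_private)
    server = Party("server", server_private)
    msg1 = agent.public     # sent to the server
    msg2 = server.public    # sent back to the agent
    return agent.derive_key(msg2), server.derive_key(msg1)


if __name__ == "__main__":
    k_agent, k_server = run_exchange()
    print("keys match:", k_agent == k_server, "key:", k_agent.hex())
```

This is unauthenticated DH: the derived key is hidden from a passive observer of the two messages, but nothing in the exchange proves who sent either value, so any protocol built on it has to add authentication separately.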

Phishing: Previous Tradecraft
  • Browser exploits
  • Java payloads
  • OLE documents
  • Macro payloads

Phishing: Payload Generation
  • 2015-7007 HTML
  • AppleScript launcher
  • OS X Microsoft Office macro
    • Supports 2011; 2016 = "Sandbox"

Payload Generation

Situational Awareness: Host (Previous Tradecraft)
  • PowerShell
  • WMI
  • PowerUp
  • Cobalt Strike Beacon modules
  • Meterpreter modules

The core of knowing your land: how do we priv-esc?

Situational Awareness: Host
  • Keylog
  • Keychain dump
  • Clipboard monitoring
  • Scrape messages
  • Hash dump
  • Browser dump

Situational Awareness: Keylogging
  • Elevated context
  • Vital portion of our post-exploitation tradecraft

Situational Awareness: Clipboard Monitoring
  • Non-native method
  • Native pbpaste may be signatured by Carbon Black
  • Out to file

Situational Awareness: Keychain Dump
  • Cleartext keychain dump
  • Versions prior to OS X El Capitan
  • Inspired by / adapted from Juuso: https://github.com/juuso/keychaindump

Situational Awareness: Search Messages
  • Scrapes the Messages.app DB
  • iMessage, Jabber, Google Talk, Yahoo, AIM
  • Enumerate X messages: account, service, number, message

Situational Awareness: Hashdump
  • Local hashes
  • Hashcat format ready!

Situational Awareness: Browser Dump
  • Dump Chrome
  • Dump Safari
  • Specify length of output

Privilege Escalation
  • Sudo
  • Spawn

Persistence: Previous Tradecraft
  • Windows: Registry, Startup folders, WMI, DLL hijack, net user /add
  • Linux: Crontab, adduser

Persistence
  • Login Hooks: login persistence
  • Crontab: hourly persistence
  • LaunchDaemon: reboot persistence
  • DyLib Hijacking: application start persistence

Persistence: Login Hook (User Context Persistence)
  • Mac login hooks
  • Bash / AppleScript execution
  • Accessible to all users
  • Uses the "defaults" tool
  • Sets com.apple.loginwindow LoginHook

Persistence: Crontab
  • Set persistence by time
  • Requires file on disk

Persistence: Launch Daemon
  • Requires sudo
  • Spawns on reboot
  • Spawns on agent loss
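Both the Login Hook and the Launch Daemon slides describe persistence that leaves an artifact in a property list, which is exactly what a defender audits. The following is an added example, not EmPyre's or the authors' code: it parses loginwindow preferences and a launchd job plist with Python's plistlib, reports any LoginHook/LogoutHook value, and summarises the RunAtLoad and KeepAlive keys that give a daemon its reboot and agent-loss persistence, flagging program paths in hidden or shared directories. The two sample plists, the label com.example.updater and every path inside them are constructed for the example; on a real host the inputs would be /Library/Preferences/com.apple.loginwindow.plist (plus the root user's copy under /var/root/Library/Preferences) and the files under /Library/LaunchDaemons.

```python
import plistlib
from typing import Any, Dict, List

# Constructed sample: loginwindow preferences with a LoginHook pointing at a hidden script.
SAMPLE_LOGINWINDOW_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LoginHook</key>
    <string>/Users/Shared/.hook.sh</string>
</dict>
</plist>
"""

# Constructed sample: loginwindow preferences from a host with no hooks configured.
SAMPLE_CLEAN_LOGINWINDOW_PLIST = plistlib.dumps({"DisableConsoleAccess": True})

# Constructed sample: a LaunchDaemon that starts at boot and is restarted whenever it exits.
SAMPLE_LAUNCHDAEMON_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.updater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/python</string>
        <string>/Users/Shared/.cache/agent.py</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""

SHARED_OR_TEMP_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def path_warnings(path: str) -> List[str]:
    """Reasons a program path deserves a second look."""
    reasons = []
    if any(part.startswith(".") for part in path.split("/") if part):
        reasons.append("hidden path component")
    if path.startswith(SHARED_OR_TEMP_DIRS):
        reasons.append("program in shared or temporary directory")
    return reasons


def find_login_hooks(plist_bytes: bytes) -> Dict[str, str]:
    """Return any LoginHook/LogoutHook entries from a com.apple.loginwindow plist.

    These keys are what `defaults write com.apple.loginwindow LoginHook <path>` sets;
    neither exists on a clean install, so any value present is worth reviewing.
    """
    data = plistlib.loads(plist_bytes)
    return {key: data[key] for key in ("LoginHook", "LogoutHook") if key in data}


def audit_launch_daemon(plist_bytes: bytes) -> Dict[str, Any]:
    """Summarise the persistence-relevant keys of a launchd job plist."""
    data = plistlib.loads(plist_bytes)
    args = list(data.get("ProgramArguments", []))
    program = data.get("Program") or (args[0] if args else None)
    # KeepAlive is either a bool or a dict of restart conditions; a non-empty dict
    # still means launchd will restart the job.
    keep_alive = bool(data.get("KeepAlive", False))
    run_at_load = bool(data.get("RunAtLoad", False))
    reasons = []
    if run_at_load:
        reasons.append("starts at boot (RunAtLoad)")
    if keep_alive:
        reasons.append("restarted by launchd when it exits (KeepAlive)")
    # Check every argument, not just the interpreter: a script handed to
    # /usr/bin/python is the real payload.
    for candidate in ([program] if program else []) + args[1:]:
        reasons.extend(f"{candidate}: {reason}" for reason in path_warnings(candidate))
    return {
        "label": data.get("Label"),
        "program": program,
        "arguments": args,
        "run_at_load": run_at_load,
        "keep_alive": keep_alive,
        "reasons": reasons,
    }


if __name__ == "__main__":
    print("login hooks:", find_login_hooks(SAMPLE_LOGINWINDOW_PLIST))
    report = audit_launch_daemon(SAMPLE_LAUNCHDAEMON_PLIST)
    print(f"{report['label']}: {report['program']} {report['arguments'][1:]}")
    for reason in report["reasons"]:
        print("  -", reason)
```

On a real host, feed each file's bytes to the matching function; a LoginHook value of any kind, or a daemon that both runs at load and keeps itself alive from a path outside the usual system locations, is the pattern the slides describe and the one to investigate first.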

Persistence: Dylib Hijacking
  • Hijack Scanner module
  • Based on @patrickwardle's research
  • Hijacked Xcode

Situational Awareness: Network (Previous Tradecraft)
  • Arp
  • Nmap
  • Net commands
  • EyeWitness
  • PowerView

Situational Awareness: Network
  • Group Policy Preferences
  • Active Directory queries
  • Port scanning
  • Web discovery

Situational Awareness: Active Directory Modules
  • situational_awareness/network/active_directory/get_computers
  • situational_awareness/network/active_directory/get_domaincontrollers
  • situational_awareness/network/active_directory/get_fileservers
  • situational_awareness/network/active_directory/get_groupmembers
  • situational_awareness/network/active_directory/get_groupmemberships
  • situational_awareness/network/active_directory/get_groups
  • situational_awareness/network/active_directory/get_ous
  • situational_awareness/network/active_directory/get_userinformation
  • situational_awareness/network/active_directory/get_users

Situational Awareness: GPP (Group Policy Preferences)
  • Pulls "encrypted" passwords from SYSVOL
  • MS14-025
  • https://raw.githubusercontent.com/leonteale/pentestpackage/master/Gpprefdecrypt.py
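The GPP slide points out that the "encrypted" cpassword values live in XML files under SYSVOL, and MS14-025 stopped new ones being written without removing the ones already there. The following is an added example, not the authors' code and not the linked decryptor: it is the defender-side check, a Python scan that walks a SYSVOL tree, parses the preference XML files that can carry a cpassword attribute, and reports each element that still has one so the entry can be deleted and the account's password rotated. The sample Groups.xml, its GUIDs, the account names localadmin and helpdesk and the cpassword blob are all constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Any, Dict, List

# Constructed sample Groups.xml in the layout Group Policy Preferences writes to SYSVOL.
# GUIDs and the cpassword blob are placeholders, not real values.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000001}">
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="localadmin"
        image="2" changed="2015-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000003}">
    <Properties action="U" newName="" fullName="" description="Local admin"
        cpassword="PLACEHOLDER-BASE64-BLOB=" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
  <User clsid="{00000000-0000-0000-0000-000000000002}" name="helpdesk"
        image="2" changed="2015-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000004}">
    <Properties action="U" newName="" fullName="" description="No password set"
        changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" userName="helpdesk"/>
  </User>
</Groups>
"""

# Preference file types that can carry a cpassword attribute.
GPP_FILES_WITH_CPASSWORD = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
                            "DataSources.xml", "Drives.xml", "Printers.xml")

# The account attribute name differs by preference type; take whichever is present.
ACCOUNT_ATTRIBUTES = ("userName", "username", "runAs", "accountName")


def find_cpasswords(xml_text: str, source: str = "<memory>") -> List[Dict[str, Any]]:
    """Return one finding per element that carries a non-empty cpassword attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    for element in root.iter():
        cpassword = element.get("cpassword")
        if not cpassword:        # absent or empty: no stored password on this element
            continue
        account = next((element.get(a) for a in ACCOUNT_ATTRIBUTES if element.get(a)), None)
        findings.append({
            "file": source,
            "element": element.tag,
            "account": account or "(unknown)",
            "cpassword_length": len(cpassword),   # report size only, never the value
        })
    return findings


def scan_sysvol(root: Path) -> List[Dict[str, Any]]:
    """Walk a SYSVOL tree and collect cpassword findings from every preference file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name in GPP_FILES_WITH_CPASSWORD:
                path = Path(dirpath) / name
                # GPP files are commonly written with a UTF-8 BOM; utf-8-sig strips it.
                text = path.read_text(encoding="utf-8-sig")
                findings.extend(find_cpasswords(text, str(path.relative_to(root))))
    return findings


def demo() -> List[Dict[str, Any]]:
    """Build a constructed SYSVOL layout in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        gpo_dir = (root / "Policies" / "{00000000-0000-0000-0000-0000000000AA}"
                   / "Machine" / "Preferences" / "Groups")
        gpo_dir.mkdir(parents=True)
        (gpo_dir / "Groups.xml").write_text(SAMPLE_GROUPS_XML, encoding="utf-8-sig")
        # Not a preference type; the scanner must ignore it.
        (root / "Policies" / "README.xml").write_text("<note/>", encoding="utf-8")
        return scan_sysvol(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['file']}: <{finding['element']}> account={finding['account']} "
              f"cpassword present ({finding['cpassword_length']} chars)")
```

Point scan_sysvol at a mounted copy of the domain's SYSVOL share; every finding is an entry to remove from the policy and an account whose password should be treated as exposed, because the patch for MS14-025 does not clean up files that were written before it.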

Situational Awareness: Finding the Domain Controller

Situational Awareness: LDAP Queries
  • Utilizes LDAP queries to pull objects such as computers, users, groups and more from Active Directory.

Situational Awareness: Web Services
  • find_fruit module
  • Checks for possibly vulnerable web applications: Tomcat, JBoss, iDRAC, Apache Axis2, etc.

Lateral Movement: Previous Tradecraft
  • Linux: SSH, Telnet, exploitation
  • Windows: PSEXEC, WMI, exploitation, RDP

Lateral Movement: Windows
  • Pivot to "Empire"
  • Exploit web services

Lateral Movement: Linux/OS X
  • SSH commands
  • SSH launcher

Honorable Mention: REST API
  • EmPyre implements the same RESTful API specification as Empire: https://github.com/PowerShellEmpire/Empire/wiki/RESTful-API
  • External users/projects can fully control an EmPyre server in a predictable way via REST requests
  • This opens the possibility for web front ends, Android apps, multi-player CLI UIs, and more

What's next
  • Socks proxy
  • Community modules
  • More exploitation modules
  • Merge with Empire

Thanks to @harmj0y, @xorrior, @CptJesus for their contributions to this effort!
